Dynamic Observers for Fault Diagnosis of Timed Systems 



Franck Cassez, Member, IEEE 





Abstract — In this paper we extend the work on dynamic observers for fault diagnosis [1], [2], [3] to timed automata. We study sensor minimization problems with static observers and then address the problem of computing the most permissive dynamic observer for a system given by a timed automaton.

I. Introduction 

Discrete-event systems [4] (DES) can be modelled by finite automata over an alphabet of actions/events $\Sigma$. The fault diagnosis problem [5] for DES consists in detecting faulty sequences in the system. A faulty sequence is a sequence of the DES containing an occurrence of a special event $f$. It is assumed that an external observer which has to detect faults knows the specification/model of the DES, but can partially observe the system at runtime: it is able to observe sequences of observable events in $\Sigma_o \subseteq \Sigma$. Based on this knowledge, it has to announce whether an observation (in $\Sigma_o^*$) stems from a faulty sequence (in $(\Sigma \cup \{\tau, f\})^*$). Checking diagnosability of DES can be done in PTIME and computing a diagnoser amounts to determinizing the DES (EXPTIME) [5], [6], [7].

Fault Diagnosis for Timed Automata. The fault diagnosis 
problem for Timed Automata (TA) has been introduced 
and solved by S. Tripakis in [8], where he proved that 
checking diagnosability of a timed automaton is PSPACE- 
complete. In the timed case however, the diagnoser may be 
a Turing machine. In a subsequent work by P. Bouyer and 
F. Chevalier [9], the problem of checking whether a timed 
automaton is diagnosable using a diagnoser which is a 
deterministic timed automaton (DTA) was studied, and they 
proved that this problem was 2EXPTIME-complete. 
Our Contribution and Related Work. In [1], [2] (and [3] for an extended version), we have introduced dynamic observers for fault diagnosis of DES. In this framework, an observer can choose dynamically which events it is going to observe and make a new choice after each occurrence of any (currently) observable event. In [1], [3] we have shown how to compute (2EXPTIME) a most permissive observer which represents all the dynamic observers that ensure that a DES is diagnosable. In [2] we have furthermore introduced a notion of cost of an observer, and proved that an optimal observer can also be computed in 2EXPTIME.

In this paper, we extend the previous results to systems given by timed automata. We first settle the complexity of some optimization problems with static observers (Section IV). We then focus on dynamic timed observers and show how to compute (Section V) a most permissive (timed) dynamic observer, under the assumption of bounded resources. In Section VI we define a notion of cost for timed observers (which extends the one we have defined for DES in [2]) and show how to compute the cost of a given observer. We also discuss the problem of synthesizing an optimal timed dynamic observer.

II. Preliminaries 

$\Sigma$ denotes a finite alphabet and $\Sigma_\tau = \Sigma \cup \{\tau\}$ where $\tau \notin \Sigma$ is the unobservable action. $\mathbb{B} = \{\text{true}, \text{false}\}$ is the set of boolean values, $\mathbb{N}$ the set of natural numbers, $\mathbb{Z}$ the set of integers and $\mathbb{Q}$ the set of rational numbers. $\mathbb{R}$ is the set of real numbers and $\mathbb{R}_{\geq 0}$ is the set of non-negative real numbers.

A. Clock Constraints 

Let $X$ be a finite set of variables called clocks. A clock valuation is a mapping $v : X \to \mathbb{R}_{\geq 0}$. We let $\mathbb{R}_{\geq 0}^X$ be the set of clock valuations over $X$. We let $0_X$ be the zero valuation where all the clocks in $X$ are set to $0$ (we use $0$ when $X$ is clear from the context). Given $\delta \in \mathbb{R}$, $v + \delta$ denotes the valuation defined by $(v + \delta)(x) = v(x) + \delta$. We let $\mathcal{C}(X)$ be the set of convex constraints on $X$, i.e., the set of conjunctions of constraints of the form $x \bowtie c$ with $c \in \mathbb{Z}$ and $\bowtie \in \{\leq, <, \geq, >\}$. Given a constraint $g \in \mathcal{C}(X)$ and a valuation $v$, we write $v \models g$ if $g$ is satisfied by $v$. Given $R \subseteq X$ and a valuation $v$, $v[R]$ is the valuation defined by $v[R](x) = v(x)$ if $x \notin R$ and $v[R](x) = 0$ otherwise.

B. Timed Words 

The set of finite (resp. infinite) words over $\Sigma$ is $\Sigma^*$ (resp. $\Sigma^\omega$) and we let $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. We let $\varepsilon$ be the empty word. A language $L$ is any subset of $\Sigma^\infty$. A finite (resp. infinite) timed word over $\Sigma$ is a word in $(\mathbb{R}_{\geq 0}.\Sigma)^*.\mathbb{R}_{\geq 0}$ (resp. $(\mathbb{R}_{\geq 0}.\Sigma)^\omega$). $Dur(w)$ is the duration of a timed word $w$, which is defined to be the sum of the durations (in $\mathbb{R}_{\geq 0}$) which appear in $w$; if this sum is infinite, the duration is $\infty$. Note that the duration of an infinite word can be finite, and such words, which contain an infinite number of letters, are called Zeno words.

$TW^*(\Sigma)$ is the set of finite timed words over $\Sigma$, $TW^\omega(\Sigma)$ the set of infinite timed words and $TW(\Sigma) = TW^*(\Sigma) \cup TW^\omega(\Sigma)$. A timed language is any subset of $TW(\Sigma)$.

In this paper we write timed words as $0.4\ a\ 1.0\ b\ 2.7\ c \cdots$ where the real values are the durations elapsed between two letters: thus $c$ occurs at global time $4.1$. We let $Unt(w)$ be the untimed version of $w$ obtained by erasing all the durations in $w$, e.g., $Unt(0.4\ a\ 1.0\ b\ 2.7\ c) = abc$. Given a timed language $L$, we let $Unt(L) = \{Unt(w) \mid w \in L\}$.

Let $\pi_{/\Sigma'}$ be the projection of timed words of $TW(\Sigma)$ over timed words of $TW(\Sigma')$. When projecting a timed word $w$ on a sub-alphabet $\Sigma' \subseteq \Sigma$, the durations elapsed between two events are set accordingly: for instance $\pi_{/\{a,c\}}(0.4\ a\ 1.0\ b\ 2.7\ c) = 0.4\ a\ 3.7\ c$ (projection erases some letters but keeps the time elapsed between two letters). Given $\Sigma' \subseteq \Sigma$, $\pi_{/\Sigma'}(L) = \{\pi_{/\Sigma'}(w) \mid w \in L\}$.

C. Timed Automata 

Timed automata (TA) are finite automata extended with 
real-valued clocks to specify timing constraints between 
occurrences of events. For a detailed presentation of the 
fundamental results for timed automata, the reader is referred 
to the seminal paper of R. Alur and D. Dill [10]. 

Definition 1 (Timed Automaton): A Timed Automaton $A$ is a tuple $(L, \ell_0, X, \Sigma_\tau, E, Inv, F, R)$ where: $L$ is a finite set of locations; $\ell_0$ is the initial location; $X$ is a finite set of clocks; $\Sigma$ is a finite set of actions; $E \subseteq L \times \mathcal{C}(X) \times \Sigma_\tau \times 2^X \times L$ is a finite set of transitions; for $(\ell, g, a, r, \ell') \in E$, $g$ is the guard, $a$ the action, and $r$ the reset set; $Inv \in \mathcal{C}(X)^L$ associates with each location an invariant; as usual we require the invariants to be conjunctions of constraints of the form $x \preceq c$ with $\preceq \in \{<, \leq\}$. $F \subseteq L$ and $R \subseteq L$ are respectively the final and repeated sets of locations. ■
A state of $A$ is a pair $(\ell, v) \in L \times \mathbb{R}_{\geq 0}^X$. A run $\varrho$ of $A$ from $(\ell_0, v_0)$ is a (finite or infinite) sequence of alternating delay and discrete moves:

$$\varrho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} (\ell_1, v_1) \cdots \xrightarrow{a_{n-1}} (\ell_n, v_n) \xrightarrow{\delta_n} (\ell_n, v_n + \delta_n) \cdots$$

s.t. for every $i \geq 0$:

• $v_i + \delta \models Inv(\ell_i)$ for $0 \leq \delta \leq \delta_i$,

• there is some transition $(\ell_i, g_i, a_i, r_i, \ell_{i+1}) \in E$ s.t.: (i) $v_i + \delta_i \models g_i$ and (ii) $v_{i+1} = (v_i + \delta_i)[r_i]$.

The set of finite (resp. infinite) runs from a state $s$ is denoted $Runs^*(s, A)$ (resp. $Runs^\omega(s, A)$) and we define $Runs^*(A) = Runs^*((\ell_0, 0), A)$, $Runs^\omega(A) = Runs^\omega((\ell_0, 0), A)$ and finally $Runs(A) = Runs^*(A) \cup Runs^\omega(A)$. If $\varrho$ is finite and ends in $s_n$, we let $last(\varrho) = s_n$. Because of the denseness of the time domain, the transition graph of $A$ is infinite (uncountable number of states and delay edges). The trace, $tr(\varrho)$, of a run $\varrho$ is the timed word $\pi_{/\Sigma}(\delta_0 a_0 \delta_1 a_1 \cdots a_{n-1} \delta_n \cdots)$. We let $Dur(\varrho) = Dur(tr(\varrho))$. For $V \subseteq Runs(A)$, we let $Tr(V) = \{tr(\varrho) \mid \varrho \in V\}$.

A finite (resp. infinite) timed word $w$ is accepted by $A$ if it is the trace of a run of $A$ that ends in an $F$-location (resp. a run that reaches infinitely often an $R$-location). $\mathcal{L}^*(A)$ (resp. $\mathcal{L}^\omega(A)$) is the set of traces of finite (resp. infinite) timed words accepted by $A$, and $\mathcal{L}(A) = \mathcal{L}^*(A) \cup \mathcal{L}^\omega(A)$ is the set of timed words accepted by $A$. In the sequel we often om
it the sets $R$ and $F$ in TA and this implicitly means $F = L$ and $R = \emptyset$.

A timed automaton $A$ is deterministic if there is no $\tau$-labelled transition in $A$, and if, whenever $(\ell, g, a, r, \ell')$ and $(\ell, g', a, r', \ell'')$ are transitions of $A$, $g \wedge g' = \text{FALSE}$. $A$ is complete if from each state $(\ell, v)$, and for each action $a$, there is a transition $(\ell, g, a, r, \ell')$ such that $v \models g$. We denote by DTA the class of deterministic timed automata.

D. Region Graph of a TA 

The region graph $RG(A)$ of a TA $A$ is a finite quotient of the infinite graph of $A$ which is time-abstract bisimilar to $A$ [10]. It is a finite automaton (FA) on the alphabet $E' = E \cup \{\tau\}$. The states of $RG(A)$ are pairs $(\ell, r)$ where $\ell \in L$ is a location of $A$ and $r$ is a region of $\mathbb{R}_{\geq 0}^X$. More generally, the edges of the graph are tuples $(s, t, s')$ where $s, s'$ are states of $RG(A)$ and $t \in E'$. Genuine unobservable moves of $A$ labelled $\tau$ are labelled by tuples of the form $(s, (g, \tau, r), s')$ in $RG(A)$. An edge $(g, \lambda, R)$ in the region graph corresponds to a discrete transition of $A$ with guard $g$, action $\lambda$ and reset set $R$. A $\tau$ move in $RG(A)$ stands for a delay move to the time-successor region. The initial state of $RG(A)$ is $(\ell_0, 0)$. A final (resp. repeated) state of $RG(A)$ is a state $(\ell, r)$ with $\ell \in F$ (resp. $\ell \in R$). A fundamental property of the region graph [10] is:

Theorem 1 ([10]): $\mathcal{L}(RG(A)) = Unt(\mathcal{L}(A))$.
The (maximum) size of the region graph is exponential in the number of clocks and in the maximum constant of the automaton $A$ (see [10]): $|RG(A)| = |L| \cdot |X|! \cdot 2^{|X|} \cdot K^{|X|}$ where $K$ is the largest constant used in $A$.

E. Product of TA 

Definition 2 (Product of two TA): Let $A_i = (L_i, \ell_0^i, X_i, \Sigma_\tau^i, E_i, Inv_i)$ for $i \in \{1, 2\}$, be two TA s.t. $X_1 \cap X_2 = \emptyset$. The product of $A_1$ and $A_2$ is the TA $A_1 \times A_2 = (L, \ell_0, X, \Sigma_\tau, E, Inv)$ given by: $L = L_1 \times L_2$; $\ell_0 = (\ell_0^1, \ell_0^2)$; $\Sigma = \Sigma^1 \cup \Sigma^2$; $X = X_1 \cup X_2$; and $E \subseteq L \times \mathcal{C}(X) \times \Sigma_\tau \times 2^X \times L$ and $((\ell_1, \ell_2), g_{1,2}, \sigma, r, (\ell_1', \ell_2')) \in E$ if:

• either $\sigma \in (\Sigma^1 \cap \Sigma^2) \setminus \{\tau\}$, and (i) $(\ell_k, g_k, \sigma, r_k, \ell_k') \in E_k$ for $k = 1$ and $k = 2$; (ii) $g_{1,2} = g_1 \wedge g_2$ and (iii) $r = r_1 \cup r_2$;

• or for $k = 1$ or $k = 2$, $\sigma \in (\Sigma^k \setminus \Sigma^{3-k}) \cup \{\tau\}$, and (i) $(\ell_k, g_k, \sigma, r_k, \ell_k') \in E_k$; (ii) $g_{1,2} = g_k$ and (iii) $r = r_k$;

and finally $Inv(\ell_1, \ell_2) = Inv(\ell_1) \wedge Inv(\ell_2)$. ■

III. Fault Diagnosis Problems & Known Results 
A. The Model 

To model timed systems with faults, we use timed automata on the alphabet $\Sigma_{\tau,f} = \Sigma_\tau \cup \{f\}$ where $f$ is the faulty (and unobservable) event. We only consider one type of fault, but the results we give are valid for many types of faults $\{f_1, f_2, \cdots\}$: indeed solving the many types diagnosability problem amounts to solving $n$ one type diagnosability problems [7]. The observable events are given by $\Sigma_o \subseteq \Sigma$ and $\tau$ is always unobservable.

The system we want to supervise is given by a TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$. Fig. 1 gives an example of such a system. Invariants in the automaton $A$ are written within square brackets as in $[x \leq 3]$.




Figure 1. The Timed Automaton A 



Let $\Delta \in \mathbb{N}$. A run of $A$

$$\varrho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} (\ell_1, v_1) \cdots$$

is $\Delta$-faulty if: (1) there is an index $i$ s.t. $a_i = f$ and (2) the duration of the run $\varrho' = (\ell_i, v_i) \xrightarrow{\delta_i} \cdots (\ell_n, v_n + \delta_n) \cdots$ is larger than $\Delta$. We let $Faulty_{\geq\Delta}(A)$ be the set of $\Delta$-faulty runs of $A$. Note that by definition, if $\Delta' \geq \Delta$ then $Faulty_{\geq\Delta'}(A) \subseteq Faulty_{\geq\Delta}(A)$. We let $Faulty(A) = \bigcup_{\Delta \geq 0} Faulty_{\geq\Delta}(A) = Faulty_{\geq 0}(A)$ be the set of faulty runs of $A$, and $NonFaulty(A) = Runs(A) \setminus Faulty(A)$ be the set of non-faulty runs of $A$. Moreover we use

$$Faulty^{tr}_{\geq\Delta}(A) = Tr(Faulty_{\geq\Delta}(A))$$

and

$$NonFaulty^{tr}(A) = Tr(NonFaulty(A))$$

which are the traces¹ of $\Delta$-faulty and non-faulty runs of $A$.

B. Diagnosers 

The purpose of fault diagnosis is to detect a fault as soon as possible. Faults are unobservable and only the events in $\Sigma_o$ can be observed, as well as the time elapsed between these events. Whenever the system generates a timed word $w$, the observer can only see $\pi_{/\Sigma_o}(w)$. If an observer can detect faults in this way it is called a diagnoser. A diagnoser must detect a fault within a given delay $\Delta \in \mathbb{N}$.

Definition 3 ($(\Sigma_o, \Delta)$-Diagnoser): Let $A$ be a TA over the alphabet $\Sigma_{\tau,f}$, $\Sigma_o \subseteq \Sigma$ and $\Delta \in \mathbb{N}$. A $(\Sigma_o, \Delta)$-diagnoser for $A$ is a mapping $D : TW^*(\Sigma_o) \to \{0, 1\}$ such that:

• for each $\varrho \in NonFaulty(A)$, $D(\pi_{/\Sigma_o}(\varrho)) = 0$,

• for each $\varrho \in Faulty_{\geq\Delta}(A)$, $D(\pi_{/\Sigma_o}(\varrho)) = 1$. ■

$A$ is $(\Sigma_o, \Delta)$-diagnosable if there exists a $(\Sigma_o, \Delta)$-diagnoser for $A$. $A$ is $\Sigma_o$-diagnosable if there is some $\Delta \in \mathbb{N}$ s.t. $A$ is $(\Sigma_o, \Delta)$-diagnosable.

Example 1: The TA $A$ in Fig. 1 with $\Sigma = \Sigma_o = \{a, b, c\}$ is $(\Sigma, 3)$-diagnosable. For the timed words with an $a$ followed by either a $b$ or a $c$ a fault must have occurred. Otherwise no fault should be reported. If $\Sigma_o = \{b\}$, in $A$ there are two runs:

$$\rho_1 = (\ell_0, 0) \to (\ell_1, 0) \to (\ell_2, 0) \to (\ell_2, 3) \to (\ell_4, 3) \cdots$$
$$\rho_2 = (\ell_0, 0) \to (\ell_0, 3) \to (\ell_5, 3) \cdots$$

that satisfy $tr(\rho_1) = tr(\rho_2)$, and thus $A$ is not $(\{b\}, 3)$-diagnosable. To diagnose a fault in $A$, $a$ must be observed. □

¹ Notice that $tr(\varrho)$ erases $\tau$ and $f$.

C. Classical Diagnosis Problems 

Assume $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$ is a TA. The classical fault diagnosis problems are the following:

Problem 1 (Bounded or $\Delta$-Diagnosability):
Inputs: A TA $A$, $\Sigma_o \subseteq \Sigma$, and $\Delta \in \mathbb{N}$.
Problem: Is $A$ $(\Sigma_o, \Delta)$-diagnosable?

Problem 2 (Diagnosability):
Inputs: A TA $A$ and $\Sigma_o \subseteq \Sigma$.
Problem: Is $A$ $\Sigma_o$-diagnosable?

Problem 3 (Maximum delay):
Inputs: A TA $A$ and $\Sigma_o \subseteq \Sigma$.
Problem: If $A$ is $\Sigma_o$-diagnosable, what is the minimum $\Delta$ s.t. $A$ is $(\Sigma_o, \Delta)$-diagnosable?

According to Definition 3, $A$ is $\Sigma_o$-diagnosable iff there is some $\Delta \in \mathbb{N}$ s.t. $A$ is $(\Sigma_o, \Delta)$-diagnosable. Thus $A$ is not $\Sigma_o$-diagnosable iff $\forall \Delta \in \mathbb{N}$, $A$ is not $(\Sigma_o, \Delta)$-diagnosable. Moreover a trace based definition of $(\Sigma_o, \Delta)$-diagnosability can be stated as²: $A$ is $(\Sigma_o, \Delta)$-diagnosable iff

$$\pi_{/\Sigma_o}(Faulty^{tr}_{\geq\Delta}(A)) \cap \pi_{/\Sigma_o}(NonFaulty^{tr}(A)) = \emptyset. \quad (1)$$

This gives a necessary and sufficient condition for non $\Sigma_o$-diagnosability:

$$\forall \Delta \in \mathbb{N},\ \exists \rho \in NonFaulty(A),\ \exists \rho' \in Faulty_{\geq\Delta}(A) \text{ s.t. } \pi_{/\Sigma_o}(\rho) = \pi_{/\Sigma_o}(\rho'). \quad (2)$$

or in other words, there is no pair of runs $(\rho_1, \rho_2)$ with $\rho_1 \in Faulty_{\geq\Delta}(A)$, $\rho_2 \in NonFaulty(A)$ the $\Sigma_o$-traces of which are equal.

Complexity results for the diagnosis problems on timed automata were established in [8] (see [11] for a comprehensive study) and Problems 1–3 are PSPACE-complete (note that PSPACE-completeness already holds for $\Sigma_o = \Sigma$).
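As an added, constructed illustration of Section III (not code from the paper): finite timed words in the paper's notation, $tr$, $\pi_{/\Sigma_o}$, the $\Delta$-faulty runs of Section III.A, and the check of condition (1) over a finite sample of runs. The sample runs and the function names are this example's own; the runs are not those of the automaton of Fig. 1.

```python
from fractions import Fraction

TAU, FAULT = "tau", "f"        # the unobservable silent move and the fault event

def timed_word(items):
    """Canonical form of a timed word given as alternating delays and letters.
    Consecutive delays are summed and a (possibly zero) delay is kept before
    every letter and at the end, so the result reads d0 a0 d1 a1 ... dn."""
    out, pending = [], Fraction(0)
    for item in items:
        if isinstance(item, str):          # a letter
            out += [pending, item]
            pending = Fraction(0)
        else:                              # a delay (int or Fraction)
            pending += Fraction(item)
    out.append(pending)
    return tuple(out)

def project(word, alphabet):
    """pi_{/alphabet}: erase the letters outside `alphabet`, keeping elapsed time."""
    return timed_word(i for i in word if not isinstance(i, str) or i in alphabet)

def trace(run):
    """tr(rho): the run with tau and f erased (durations are preserved)."""
    return timed_word(i for i in run if i not in (TAU, FAULT))

def duration(word):
    """Dur(w): the sum of the delays in w."""
    return sum((i for i in word if not isinstance(i, str)), Fraction(0))

def is_delta_faulty(run, delta):
    """Delta-faulty: f occurs and at least `delta` time units elapse afterwards
    (the paper indexes these sets by >= Delta, so Faulty(A) = Faulty_{>=0}(A))."""
    after = None
    for item in run:
        if item == FAULT and after is None:
            after = Fraction(0)
        elif after is not None and not isinstance(item, str):
            after += item
    return after is not None and after >= delta

def confusing_observation(runs, observable, delta):
    """Condition (1) on a finite sample: returns an observation produced by both a
    delta-faulty and a non-faulty run (a witness of non-diagnosability), or None."""
    faulty = {project(trace(r), observable) for r in runs if is_delta_faulty(r, delta)}
    non_faulty = {project(trace(r), observable) for r in runs if FAULT not in r}
    common = faulty & non_faulty
    return min(common, key=str) if common else None

# The paper's projection example, 0.4 a 1.0 b 2.7 c, in this encoding.
EXAMPLE_WORD = [Fraction("0.4"), "a", 1, "b", Fraction("2.7"), "c"]

# Constructed sample runs (delay, letter, delay, ...): an a at time 0 immediately
# followed by a fault, then b three time units later; a b at time 3 with no fault;
# an a at 2.5 followed by a fault and a c; a silent move then a lone c at time 4.
SAMPLE_RUNS = [
    [0, "a", FAULT, 3, "b", 1],
    [3, "b", 1],
    [Fraction("2.5"), "a", FAULT, 1, "c", 3],
    [TAU, 4, "c", 1],
]

if __name__ == "__main__":
    print(project(timed_word(EXAMPLE_WORD), {"a", "c"}))       # 0.4 a 3.7 c (trailing 0)
    print(confusing_observation(SAMPLE_RUNS, {"b"}, 3))         # observing only b: 3 b 1
    print(confusing_observation(SAMPLE_RUNS, {"a", "b", "c"}, 3))  # observing all: None
```

Observing only $c$ is also confusing on this sample: a faulty and a non-faulty run both produce four silent time units, which `confusing_observation` reports as the observation `(4,)`.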

IV. Sensor Minimization with Static Observers 

In this section, we extend the results of [1] to systems given by TA.

Problem 4 (Minimum Cardinality Set):
Inputs: A TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$ and $n \in \mathbb{N}$.
Problem:

(A) Is there any set $\Sigma_o \subseteq \Sigma$, with $|\Sigma_o| = n$ s.t. $A$ is $\Sigma_o$-diagnosable?

(B) If the answer to (A) is "yes", compute the minimum value for $n$.

² This definition does not take into account Zeno runs; this is not difficult to add and the reader is referred to [11] for more details.



Theorem 2: Problem 4 is PSPACE-complete.

Proof: PSPACE-easiness for (A) can be established as follows: guess a set with $|\Sigma_o| = n$ and check (in PSPACE) whether $A$ is $\Sigma_o$-diagnosable. This proves membership in NPSPACE and thus in PSPACE. PSPACE-hardness follows from the reduction of Problem 2 to Problem 4 (A) with $n = |\Sigma|$. This establishes PSPACE-completeness for (A). Computing the minimum $n$ can be done using a binary search (dichotomy) and thus (B) is also in PSPACE. ■

The previous results also hold in a more general setting using masks. Masks are useful to capture the notion of distinguishability among observable events. Indeed, there are cases where two events $a$ and $b$ are observable but not distinguishable, that is, the diagnoser knows that $a$ or $b$ occurred, but not which of the two. This is not the same as considering $a$ and $b$ to be unobservable, since in that case the diagnoser would not be able to detect the occurrence of $a$ or $b$. Distinguishability of events is captured by the notion of a mask [12].

Definition 4 (Mask): A mask $(M, n)$ (of size $n$) over $\Sigma$ is a total, surjective function $M : \Sigma \to \{1, \cdots, n\} \cup \{\varepsilon\}$. ■
$M$ induces a morphism $M^* : TW^*(\Sigma) \to TW^*(\{1, \cdots, n\})$, where $M^*(\varepsilon) = \varepsilon$ and $M^*(a.\rho) = M(a).M^*(\rho)$, for $a \in \Sigma$ and $\rho \in \Sigma^*$. For example, if $\Sigma = \{a, b, c, d\}$, $n = 2$ and $M(a) = M(d) = 1$, $M(c) = 2$, $M(b) = \varepsilon$, then we have $M^*(a\ 0.4\ b\ 0.2\ c\ 1.1\ b\ 0.7\ d) = 1\ 0.6\ 2\ 1.8\ 1$.
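An added example (constructed here, not the paper's code) of the mask morphism $M^*$ of Definition 4 on timed words, checked against the example above, together with the reduction of Section IV that replaces every event $a$ by $M(a)$ before comparing faulty and non-faulty traces. The projection $\pi_{/\Sigma'}$ is recovered as the mask that is one-to-one on $\Sigma'$ and $\varepsilon$ elsewhere; the function names are this example's own.

```python
from fractions import Fraction

EPS = "eps"   # the image epsilon: the event is observable but erased by the mask

def make_mask(alphabet, classes):
    """Build a mask (M, n) from disjoint classes of indistinguishable events
    (class i is mapped to i, in order). Events in no class are mapped to eps.
    M is total and surjective by construction, as Definition 4 requires."""
    M = {a: EPS for a in alphabet}
    for i, cls in enumerate(classes, start=1):
        for a in cls:
            if a not in alphabet or M[a] != EPS:
                raise ValueError(f"{a!r} is not in the alphabet or lies in two classes")
            M[a] = i
    return M, len(classes)

def apply_mask(M, word):
    """M^*(w): M^*(eps) = eps and M^*(a.w) = M(a).M^*(w); the durations around an
    erased letter are added, so the time between kept letters is preserved.
    `word` alternates delays (int/Fraction) and letters (str); the result is
    canonical: delays (Fractions) at even positions, images (ints) at odd ones,
    with an explicit, possibly zero, delay before every image and at the end."""
    out, pending = [], Fraction(0)
    for item in word:
        if isinstance(item, str):
            if M[item] != EPS:
                out += [pending, M[item]]
                pending = Fraction(0)
        else:
            pending += Fraction(item)
    out.append(pending)
    return tuple(out)

def projection_mask(alphabet, observable):
    """pi_{/observable} as a mask: each observable event is its own class."""
    return make_mask(alphabet, [[a] for a in sorted(observable)])

def masked_traces_disjoint(M, faulty_traces, non_faulty_traces):
    """The check behind (M, n)-diagnosability on finite trace samples: replace
    every event by M(a) and test the two images for a common masked word."""
    masked_faulty = {apply_mask(M, w) for w in faulty_traces}
    masked_ok = {apply_mask(M, w) for w in non_faulty_traces}
    return not (masked_faulty & masked_ok)

# The paper's example word a 0.4 b 0.2 c 1.1 b 0.7 d in this encoding.
PAPER_WORD = ["a", Fraction("0.4"), "b", Fraction("0.2"), "c",
              Fraction("1.1"), "b", Fraction("0.7"), "d"]

if __name__ == "__main__":
    # Sigma = {a,b,c,d}, n = 2, M(a) = M(d) = 1, M(c) = 2, M(b) = eps
    M, n = make_mask(["a", "b", "c", "d"], [["a", "d"], ["c"]])
    print(n, apply_mask(M, PAPER_WORD))   # images 1 2 1 with delays 0, 0.6, 1.8, 0
```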

Definition 5 ($((M, n), \Delta)$-diagnoser): Let $(M, n)$ be a mask over $\Sigma$. A mapping $D : TW^*(\{1, \cdots, n\}) \to \{0, 1\}$ is a $((M, n), \Delta)$-diagnoser for $A$ if:

• for each $\rho \in NonFaulty(A)$, $D(M^*(tr(\rho))) = 0$;

• for each $\rho \in Faulty_{\geq\Delta}(A)$, $D(M^*(tr(\rho))) = 1$. ■

$A$ is $((M, n), \Delta)$-diagnosable if there is a $((M, n), \Delta)$-diagnoser for $A$. $A$ is said to be $(M, n)$-diagnosable if there is some $\Delta$ such that $A$ is $((M, n), \Delta)$-diagnosable. Given a mask $(M, n)$ and $A$, checking whether $A$ is $(M, n)$-diagnosable can be done in PSPACE: it suffices to replace each event $a \in \Sigma$ by $M(a)$ and check for diagnosability. It is PSPACE-complete as using an identity mask of cardinality $|\Sigma|$ solves Problem 2.

The counterpart of Problem 4 with masks is the following:

Problem 5 (Minimum Cardinality Mask):
Inputs: A TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$ and $n \in \mathbb{N}$.
Problem:

(A) Is there any mask $(M, n)$ s.t. $A$ is $(M, n)$-diagnosable?

(B) If the answer to (A) is "yes", compute the minimum value for $n$.

Theorem 3: Problem 5 is PSPACE-complete.

Proof: PSPACE-easiness is proved by guessing a mask $(M, n)$ and checking (in PSPACE) that $A$ is $(M, n)$-diagnosable. PSPACE-hardness is proved as follows. If there is a mask $(M, n)$ with $n = |\Sigma|$ s.t. $A$ is $(M, n)$-diagnosable, then, as $M$ is surjective, it must be the case that $M$ is a one-to-one mapping from $\Sigma$ to $\{1, \cdots, n\}$. It follows that $A$ is $\Sigma$-diagnosable. Conversely, assume $\Sigma = \{a_1, \cdots, a_n\}$. If $A$ is $\Sigma$-diagnosable then there is a mask $(M, |\Sigma|)$ with $M(a_i) = i$ s.t. $A$ is $(M, |\Sigma|)$-diagnosable. Hence Problem 5(A) is PSPACE-complete. Problem 5(B) can be solved in PSPACE as well using a binary search. It is not difficult to reduce reachability for TA with one action to checking whether there is a mask of size 1 and thus Problem 5(B) is PSPACE-complete. ■
Remark 1: The assumption that a mask is surjective can be lifted while still preserving Theorem 3. Indeed, if there is a mask $(M, |\Sigma|)$ s.t. $A$ is $(M, |\Sigma|)$-diagnosable and $M$ is not surjective, then we can build $(M', |\Sigma|)$ with $M'$ surjective s.t. $A$ is $(M', |\Sigma|)$-diagnosable (intuitively, $M'$ is more discriminating than $M$ and has a greater distinguishing power).

V. Sensor Minimization with Dynamic Observers 

The use of dynamic observers was already advocated for DES in [1], [3]. We start with an example that shows that dynamically choosing what to observe can be even more efficient using timing information.

Example 2: Let $A$ be the automaton of Figure 1. To diagnose $A$, we can use a dynamic observer that switches the $a$, $b$ and $c$-sensors on/off. If we do not measure time, to be able to detect faults in $A$, we have to switch the $a$ sensor on at the beginning. When an $a$ has occurred, we must be ready for either a $b$ or a $c$ and therefore switch the $b$ and $c$ sensors on. A dynamic observer must thus first observe $\{a\}$ and after an occurrence of $a$, observe $\{b, c\}$.

If the observer can measure time using a clock, say $y$, it can first switch the $a$ sensor on. If an $a$ occurs when $y \leq 2$, then switch the $b$ sensor on and if $y > 2$ switch the $c$ sensor on. This way the observer never has to observe more than one event at each point in time. □

A. Dynamic Observers 

The choice of the events to observe can depend on the choices the observer has made before and on the observations (event, time-stamp) it has made. Moreover an observer may have unbounded memory. The following definition extends the notion of observers introduced in [1] to the timed setting.

Definition 6 (Observer): An observer $Obs$ over $\Sigma$ is a deterministic and complete timed automaton $Obs = (N, n_0, Y, \Sigma, \delta, Inv_{\text{TRUE}})$ together with a mapping $O : N \to 2^\Sigma$, where $N$ is a (possibly infinite) set of locations, $n_0 \in N$ is the initial location, $\Sigma$ is the set of observable events, $\delta : N \times \Sigma \times \mathcal{C}(Y) \to N \times 2^Y$ is the transition function (a total function), and $O$ is a labeling function that specifies the set of events that the observer wishes to observe when it is at location $n$. The invariant³ $Inv_{\text{TRUE}}$ maps every location to TRUE, implying that an observer cannot prevent time from elapsing. We require that, for any location $n$ and any $a \in \Sigma$, if $a \notin O(n)$ then $\delta(n, a, \cdot) = (n, \emptyset)$: this means the observer does not change its location nor resets its clocks when an event it has chosen not to observe occurs. ■
As an observer is deterministic we let $\delta(n_0, w)$ denote the state $(n, v)$ reached after reading the timed word $w$ and $O(\delta(n_0, w))$ is the set of events $Obs$ observes after $w$.

³ In the sequel, we omit the invariant when a TA is an observer, and replace it by the mapping $O$.

An observer defines a transducer which is a mapping $[\![Obs]\!] : TW^*(\Sigma) \to TW^*(\Sigma)$. Given a word $w$, $[\![Obs]\!](w)$ is the output of the transducer on $w$. It is called the observation of $w$ by the observer $Obs$.

B. Diagnosability with Dynamic Observers 

Definition 7 ($(Obs, \Delta)$-diagnoser): Let $A$ be a TA over $\Sigma_{\tau,f}$ and $Obs$ be an observer over $\Sigma$. $D : TW^*(\Sigma) \to \{0, 1\}$ is an $(Obs, \Delta)$-diagnoser for $A$ if:

• $\forall \rho \in NonFaulty(A)$, $D([\![Obs]\!](tr(\rho))) = 0$ and

• $\forall \rho \in Faulty_{\geq\Delta}(A)$, $D([\![Obs]\!](tr(\rho))) = 1$. ■

$A$ is $(Obs, \Delta)$-diagnosable if there is an $(Obs, \Delta)$-diagnoser for $A$. $A$ is $Obs$-diagnosable if there is some $\Delta$ such that $A$ is $(Obs, \Delta)$-diagnosable.

We now show how to check $Obs$-diagnosability when the observer $Obs$ is a DTA.

Problem 6 (Deterministic Timed Automata Observers):
Inputs: A TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$ and an observer given by a DTA $Obs = (N, n_0, Y, \Sigma, \delta, O)$.
Problem:

(A) Is $A$ $Obs$-diagnosable?

(B) If the answer to (A) is "yes", compute the minimum $\Delta \in \mathbb{N}$ s.t. $A$ is $(Obs, \Delta)$-diagnosable.

Theorem 4: Problem 6 is PSPACE-complete.

Proof: PSPACE-hardness follows from the fact that taking an observer which always observes $\Sigma_o \subseteq \Sigma$ solves Problem 2. We prove that Problem 6 is in PSPACE. The following construction is an extension of the one for DES [3]. Recall that $Obs$ is complete. Define the timed automaton $A \otimes Obs = (L \times N, (\ell_0, n_0), X \cup Y, \Sigma_{\tau,f}, \to, Inv_\otimes)$ as follows: $Inv_\otimes(\ell, n) = Inv(\ell)$ and the transition relation $\to$ is given by:

• $(\ell, n) \xrightarrow{g \wedge g',\ \beta,\ R \cup Y'} (\ell', n')$ iff $\exists \lambda \in \Sigma$ s.t. $\ell \xrightarrow{g, \lambda, R} \ell'$, $(n', Y') = \delta(n, \lambda, g')$ and $\beta = \lambda$ if $\lambda \in O(n)$, $\beta = \tau$ otherwise;

• $(\ell, n) \xrightarrow{g, \lambda, R} (\ell', n)$ iff $\exists \lambda \in \{\tau, f\}$ s.t. $\ell \xrightarrow{g, \lambda, R} \ell'$.

The TA $A \otimes Obs$ is an unfolding of $A$ which reveals what is observable at each product location.

From the previous construction, it follows that: for each $\Delta \in \mathbb{N}$, $A$ is $(Obs, \Delta)$-diagnosable iff $A \otimes Obs$ is $(\Sigma, \Delta)$-diagnosable. As the size of $A \otimes Obs$ is $|A| \times |Obs|$, we can solve Problem 6(A) in PSPACE. Problem 6(B) can also be solved using a binary search, in PSPACE. ■

C. Synthesis of the Most Permissive Dynamic Diagnoser 

In this section we address the problem of synthesizing a DTA dynamic observer which ensures diagnosability. Following [3], we want to compute a most permissive observer ($\emptyset$ if none exists), which gives a representation of all the good observers. Indeed, checking whether there exists a DTA observer $Obs$ s.t. $A$ is $Obs$-diagnosable is not an interesting problem: it suffices to check that $A$ is $\Sigma$-diagnosable as the DTA observer which observes $\Sigma$ continuously will be a solution.

When synthesizing (deterministic) timed automata, an important issue is the amount of resources the timed automaton can use: this can be formally defined [13] by the (number of) clocks, $Z$, that the automaton can use, the maximal constant $max$, and a granularity $\frac{1}{m}$. As an example, a TA of resource $\mu = (\{c, d\}, 2, \frac{1}{3})$ can use two clocks, $c$ and $d$, and clock constraints using the rationals $-2 \leq k/m \leq 2$ where $k \in \mathbb{Z}$ and $m = 3$. A resource $\mu$ is thus a triple $\mu = (Z, max, \frac{1}{m})$ where $Z$ is a finite set of clocks, $max \in \mathbb{N}$ and $\frac{1}{m} \in \mathbb{Q}_{>0}$ is the granularity. $DTA_\mu$ is the class of DTA of resource $\mu$.

Remark 2: Notice that the number of locations of the DTA in $DTA_\mu$ is not bounded and hence this family has an infinite (yet countable) number of elements.

We now focus on the following problem:
Problem 7 (Most Permissive Dynamic $\Delta$-Diagnoser):
Inputs: A TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$, $\Delta \in \mathbb{N}$, and a resource $\mu = (Z, max, \frac{1}{m})$.

Problem: Compute the set $\mathcal{O}$ of all observers in $DTA_\mu$ s.t. $A$ is $(Obs, \Delta)$-diagnosable iff $Obs \in \mathcal{O}$.
For DES, the previous problem can be solved by computing a most permissive observer, and we refer to [3] section 5.5 for the formal definition of the most permissive observer. This can be done in 2EXPTIME [3], and the solution is a reduction to a safety control problem under partial observation. For the timed case, we cannot use the same solution as controller synthesis under partial observation is undecidable [13]. The solution we present for Problem 7 is a modification of an algorithm originally introduced in [9].

D. Fault Diagnosis with DTA [9]

In case a TA $A$ is $\Sigma_o$-diagnosable, the diagnoser is a mapping [8] which performs a state estimate of $A$ after a timed word $w$ is read by $A$. For DES, it is obtained by determinizing the system, but we cannot always determinize a TA $A$ (see [10]). And unfortunately testing whether a timed automaton is determinizable is undecidable [14], [15].

P. Bouyer and F. Chevalier in [9] consider the problem of deciding whether there exists a diagnoser which is a DTA using resources in $\mu$:

Problem 8 ($DTA_\mu$ $\Delta$-Diagnoser [9]):
Inputs: A TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$, $\Delta \in \mathbb{N}$, and a resource $\mu = (Z, max, \frac{1}{m})$.

Problem: Is there any $D \in DTA_\mu$ s.t. $A$ is $(D, \Delta)$-diagnosable?

Theorem 5 ([9]): Problem 8 is 2EXPTIME-complete.

The solution to the previous problem is based on the construction of a two-player game, the solution of which gives the set of all $DTA_\mu$ diagnosers (the most permissive diagnosers) which can diagnose $A$ (or $\emptyset$ if there is none).

We recall here the construction of the two-player game.

Let $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$ be a TA, $\Sigma_o \subseteq \Sigma$. Define $A(\Delta) = (L_1 \cup L_2 \cup L_3, \ell_0^1, X \cup \{z\}, \Sigma_{\tau,f}, \to_\Delta, Inv_\Delta)$ as follows:

• $L_i = \{\ell^i, \ell \in L\}$, for $i \in \{1, 2, 3\}$, i.e., $L_i$ elements are copies of the locations in $L$,

• $z$ is a (new) clock not in $X$,

• for $\ell \in L$, $Inv(\ell^1) = Inv(\ell)$, $Inv(\ell^2) = Inv(\ell) \wedge z \leq \Delta$, and $Inv(\ell^3) = \text{TRUE}$,

• the transition relation is given by:

$$(\ell^i, g, a, R, \ell'^i) \in {\to_\Delta} \text{ for } i \in \{1, 2, 3\}, \text{ if } a \neq f \text{ and } (\ell, g, a, R, \ell') \in E,$$
$$(\ell^i, g, f, R, \ell'^i) \in {\to_\Delta} \text{ for } i \in \{2, 3\}, \text{ if } (\ell, g, f, R, \ell') \in E,$$
$$(\ell^1, g, f, R \cup \{z\}, \ell'^2) \in {\to_\Delta} \text{ if } (\ell, g, f, R, \ell') \in E,$$
$$(\ell^2, z \geq \Delta, \tau, \emptyset, \ell^3) \in {\to_\Delta} \text{ for } \ell \in L.$$

The previous construction creates 3 copies of $A$: the system starts in copy 1, when a fault occurs it switches to copy 2, resetting the clock $z$, and when in copy 2 (a fault has occurred) it can switch to copy 3 after $\Delta$ time units. We can then define $L_1$ as the non-faulty locations, and $L_3$ as the $\Delta$-faulty locations.

Given a resource $\mu = (Y, max, \frac{1}{m})$ ($X \cap Y = \emptyset$), a minimal guard for $\mu$ is a guard which defines a region of granularity $\mu$. We define the (symbolic) universal automaton $U_\mu = (\{0\}, 0, Y, \Sigma, E_U, Inv_U)$ by:

• $Inv_U(0) = \text{TRUE}$,

• $(0, g, a, R, 0) \in E_U$ for each $(g, a, R)$ s.t. $a \in \Sigma$, $R \subseteq Y$, and $g$ is a minimal guard for $\mu$.

$U$ is finite because the set of minimal guards for $\mu$ is finite. Nevertheless $U$ is not deterministic because it can choose to reset different sets of clocks $Y$ for a pair "(guard, letter)" $(g, a)$. To diagnose $A$, we have to find when a set of clocks has to be reset. This can provide enough information to distinguish $\Delta$-faulty words from non-faulty words.

The algorithm of [9] requires the following steps:

1) define the region graph $RG(A(\Delta) \times U)$,

2) compute a projection of this region graph:

• let $(g, a, R)$ be a label of an edge in $RG(A(\Delta) \times U)$,

• let $g'$ be the unique minimal guard s.t. $[\![g]\!] \subseteq [\![g']\!]$;

• define the projection $p_U(g, a, R)$ by $(g', \lambda, R \cap Y)$ with $\lambda = a$ if $a \in \Sigma_o$ and $p_U(g, a, R) = \tau$ otherwise.

The projected automaton $p_U(RG(A(\Delta) \times U))$ is the automaton $RG(A(\Delta) \times U)$ where each label $\alpha$ is replaced by $p_U(\alpha)$.

3) determinize $p_U(RG(A(\Delta) \times U))$ (removing $\tau$ actions) and obtain $H_{A,\Delta,\mu}$,

4) build a two-player safety game $G_{A,\Delta,\mu}$ as follows:

• each transition $s \xrightarrow{(g, a, R)} s'$ in $H_{A,\Delta,\mu}$ yields a transition in $G_{A,\Delta,\mu}$ of the form:

$$s \xrightarrow{(g, a)} (s, g, a) \xrightarrow{R} s'$$

• the round-shaped states are the states of Player 1, whereas the square-shaped states are Player 0 states (the choice of the clocks to reset).

• the Bad states (for Player 0) are the states of the form $\{(\ell_1, r_1), (\ell_2, r_2), \cdots, (\ell_k, r_k)\}$ with both a $\Delta$-faulty (in $L_3$) and a non-faulty (in $L_1$) location.

The main results of [9] are:

• there is a TA $D \in DTA_\mu$ s.t. $A$ is $(D, \Delta)$-diagnosable iff Player 0 can win the safety game "avoid Bad" $G_{A,\Delta,\mu}$,

• it follows that Problem 8 can be solved in 2EXPTIME as $G_{A,\Delta,\mu}$ has size doubly exponential in $A$, $\Delta$ and $\mu$,

• the acceptance problem for Alternating Turing machines of exponential space can be reduced to Problem 8 and thus it is 2EXPTIME-hard.

E. Problem 7 is in 2EXPTIME

We now show how to modify the previous algorithm to solve Problem 7 and obtain the following result:

Theorem 6: Problem 7 can be solved in 2EXPTIME.
Proof: We modify the previous algorithm as follows:

1) the automaton $U$ is defined as follows: each location corresponds to a choice of a subset of events to observe. Define the (symbolic) universal automaton $U' = (2^\Sigma, 2^\Sigma, Y, \Sigma, E_{U'}, Inv_{U'})$ by:

• for $S \in 2^\Sigma$, $Inv_{U'}(S) = \text{TRUE}$,

• $(S, g, a, R, S') \in E_{U'}$ for each $S, S' \in 2^\Sigma$, $(g, a, R)$ s.t. $a \in \Sigma$, $R \subseteq Y$, and $g$ is a minimal guard for $\mu$.

2) when computing $RG(A(\Delta) \times U')$, the set of observable events (step 2 in the algorithm of section V-D) are defined according to the location $S$ of $U'$. Formally, the projection of $a \in \Sigma$ is $a$ if the location of $U'$ is $S$ and $a \in S$, and $\tau$ otherwise.

The size of $RG(A(\Delta) \times U')$ is $|L| \cdot 2^{|\Sigma|} \cdot |X \cup Y|! \cdot K^{|X \cup Y|}$ where $K$ is the maximal constant of $A \times U'$; it is thus exponential in $\mu$ and $\Sigma$. The determinization is thus doubly exponential in $A$, $\mu$ and $\Sigma$. We can then build a new game $G'_{A,\Delta,\mu}$ as described in section V-D before. The proof that the most permissive strategy in the new game gives the most permissive observer is along the lines of the one given in [9] with minor modifications. Solving a safety game is linear in the size of the game and thus computing the most permissive observer of resource $\mu$ can be done in 2EXPTIME. ■
Remark 3: In [9] it is also proved that for Event Recording Automata (ERA) [16] Problem 8 becomes PSPACE-complete. This result does not carry over to our case, as there is still an exponential step with the choice of the sets of events to be observed.

VI. Optimal Dynamic Observers 

In this section we extend the notion of cost defined for finite state observers in [3] to the case of timed observers.

A. Weighted/Priced Timed Automata

Weighted/priced timed automata were introduced in [17], [18] and they extend TA with prices/costs/weights on the time elapsing and discrete transitions.

Definition 8 (Priced Timed Automata): A priced timed automaton (PTA) is a pair $(A, Cost)$ where $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$ is a timed automaton and $Cost$ is a cost function which is a mapping from $L \cup E$ to $\mathbb{N}$. ■
Let

$$\varrho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} \cdots$$

be a run of $A$. We denote by $e_i = (\ell_i, (g_i, a_i, R_i), \ell_{i+1})$ the discrete transition taken from $(\ell_i, v_i + \delta_i)$ to $(\ell_{i+1}, v_{i+1})$.

The cost of the run $\varrho$ is defined by:

$$Cost(\varrho) = \sum_{i \in 0..n} Cost(\ell_i) \cdot \delta_i + \sum_{i \in 0..n-1} Cost(e_i).$$

The mean cost of $\varrho$ is defined to be the cost per time unit and given⁴ by $\overline{Cost}(\varrho) = Cost(\varrho)/Dur(\varrho)$. The cost of runs of duration $t \in \mathbb{R}_{\geq 0}$ is defined by $Cost(t) = \sup\{Cost([\![Obs]\!](\varrho)) \mid Dur(\varrho) = t\}$. The maximal mean cost of $(A, Cost)$ is $\overline{Cost}(A) = \limsup_{t \to \infty} Cost(t)$. The minimal mean cost is defined dually and denoted $\underline{Cost}(A)$.

B. Cost of an Observer 

To select a best or optimal dynamic observer which 
ensures A-diagnosability, we need to define a metric to 
compare them. We extend the one defined in [3] for DES 
to take into account (real) time elapsing. 

Let A be a TA and Obs a DTA observer. Obs is extended 
into a P(D)TA by associating costs with locations and 
transitions. The cost associated with the discrete transitions 
is the cost of switching on the sensors for a set of observable 
events, and the cost of a location is the cost per time unit of 
having a set of sensors activated. 

Let $\rho$ be a run of $A$. As $Obs$ is deterministic (and complete) 
there is exactly one run of $Obs$ the trace of which is 
$\llbracket Obs \rrbracket(tr(\rho))$. Given $\rho$, let $\llbracket Obs \rrbracket(\rho)$ be this unique run. The 
average cost of the run $\rho$ observed by $Obs$ is $\overline{Cost}(\llbracket Obs \rrbracket(\rho))$.

Given $t \in \mathbb{R}_{>0}$, the maximal mean cost of runs of duration 
$t$ is defined by:

$$\overline{Cost}(A, Obs, t) = \sup_{\rho \in Runs^*(A) \,\wedge\, Dur(\rho) = t} \{\overline{Cost}(\llbracket Obs \rrbracket(\rho))\}.$$

The maximal average cost of the pair $\langle A, Obs \rangle$ is defined by

$$\overline{Cost}(\langle A, Obs \rangle) = \limsup_{t \to \infty} \overline{Cost}(A, Obs, t).$$
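As an added example (not code from the paper), the following Python replays a run of a small priced timed automaton and evaluates the two definitions above: $Cost(\rho)$ as location prices times delays plus edge prices, and the mean cost $Cost(\rho)/Dur(\rho)$. The automaton is a hypothetical priced observer in the sense of Section VI-B: each location stands for a set of switched-on sensors whose price per time unit is the location cost, and the switching price is the edge cost. The names, the clock, guards, invariants, prices and runs are all constructed for illustration. The `lasso_mean_cost` function goes one step beyond the text: for a periodic run it returns the value the mean costs of its prefixes converge to, i.e. the limit of the mean cost along that one run; the supremum over all runs and the $\limsup$ of Section VI-A are not computed here (that is the problem solved in [19]).

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

# Added example (not from the paper): a priced timed automaton (Definition 8)
# used as a priced observer (Section VI-B).  A location's cost is the price per
# time unit of the sensors it keeps on; an edge's cost is the switching price.

@dataclass(frozen=True)
class Constraint:
    """Atomic clock constraint  clock op bound  (for guards and invariants)."""
    clock: str
    op: str          # one of '<', '<=', '==', '>=', '>'
    bound: Fraction

    def holds(self, v: Dict[str, Fraction]) -> bool:
        x = v[self.clock]
        return {'<': x < self.bound, '<=': x <= self.bound, '==': x == self.bound,
                '>=': x >= self.bound, '>': x > self.bound}[self.op]

@dataclass(frozen=True)
class Edge:               # discrete transition (l, (g, a, R), l')
    src: str
    guard: Tuple[Constraint, ...]
    action: str
    resets: FrozenSet[str]
    dst: str

@dataclass
class PTA:
    clocks: FrozenSet[str]
    init: str
    invariants: Dict[str, Tuple[Constraint, ...]]
    loc_cost: Dict[str, int]     # Cost(l): price per time unit spent in l
    edge_cost: Dict[Edge, int]   # Cost(e): price of firing e

    def _check_inv(self, loc: str, v: Dict[str, Fraction]) -> None:
        if not all(c.holds(v) for c in self.invariants.get(loc, ())):
            raise ValueError(f"invariant of {loc} violated at {dict(v)}")

    def run_cost(self, delays: Sequence, edges: Sequence[Edge],
                 start: Optional[Tuple[str, Dict[str, Fraction]]] = None):
        """Replay (l0,v0) -d0-> (l0,v0+d0) -e0-> (l1,v1) -d1-> ... and return
        (Cost(rho), Dur(rho), last location, last valuation).  `delays` has one
        entry per edge plus, optionally, the trailing delay d_n."""
        if len(delays) not in (len(edges), len(edges) + 1):
            raise ValueError("a run alternates delays and edges")
        loc, v = start or (self.init, {c: Fraction(0) for c in self.clocks})
        self._check_inv(loc, v)
        cost = dur = Fraction(0)
        for i, delay in enumerate(delays):
            delay = Fraction(delay)
            v = {c: x + delay for c, x in v.items()}   # time elapses in loc
            self._check_inv(loc, v)                    # invariants are convex: endpoint suffices
            cost += self.loc_cost[loc] * delay         # Cost(l_i) * delta_i
            dur += delay
            if i == len(edges):
                break                                  # trailing delay: no edge follows
            e = edges[i]
            if e.src != loc or not all(c.holds(v) for c in e.guard):
                raise ValueError(f"edge {e.action} not enabled in {loc} at {dict(v)}")
            v = {c: (Fraction(0) if c in e.resets else x) for c, x in v.items()}
            cost += self.edge_cost.get(e, 0)           # Cost(e_i)
            loc = e.dst
            self._check_inv(loc, v)
        return cost, dur, loc, v

def mean_cost(cost: Fraction, dur: Fraction) -> Fraction:
    """Cost per time unit; undefined for runs of duration 0 (cf. the footnote)."""
    if dur == 0:
        raise ValueError("mean cost undefined for duration 0")
    return cost / dur

def lasso_mean_cost(pta: PTA, prefix, cycle) -> Fraction:
    """Mean cost of the periodic run prefix.cycle^omega: the cycle must return to
    the state it started from; prefix mean costs then converge to cost/dur of the cycle."""
    _, _, loc, v = pta.run_cost(*prefix)
    ccost, cdur, loc2, v2 = pta.run_cost(*cycle, start=(loc, v))
    if (loc2, v2) != (loc, v):
        raise ValueError("cycle does not return to its start state")
    return mean_cost(ccost, cdur)

# Constructed observer with one clock x.  Sensor a costs 1 per time unit and
# sensor b costs 2: location ALL keeps both on (rate 3), ONLY_A keeps only a
# on (rate 1); switching b off costs 1, switching it back on costs 2.
e_drop_b = Edge("ALL", (Constraint("x", ">=", Fraction(2)),), "a", frozenset({"x"}), "ONLY_A")
e_add_b = Edge("ONLY_A", (Constraint("x", ">=", Fraction(1)),), "a", frozenset({"x"}), "ALL")
OBS = PTA(clocks=frozenset({"x"}), init="ALL",
          invariants={"ALL": (Constraint("x", "<=", Fraction(4)),),
                      "ONLY_A": (Constraint("x", "<=", Fraction(3)),)},
          loc_cost={"ALL": 3, "ONLY_A": 1},
          edge_cost={e_drop_b: 1, e_add_b: 2})

def example() -> Tuple[Fraction, Fraction]:
    # mean cost of one finite run, and of the periodic run that repeats a cycle
    cost, dur, _, _ = OBS.run_cost([2, 1, 2], [e_drop_b, e_add_b])
    periodic = lasso_mean_cost(OBS, ([2], [e_drop_b]), ([1, 2], [e_add_b, e_drop_b]))
    return mean_cost(cost, dur), periodic   # (Fraction(16, 5), Fraction(10, 3))
```

The finite run spends 2 time units with both sensors on (price 6), drops sensor b (price 1), spends 1 unit with only a on (price 1), switches b back on (price 2) and spends 2 more units at rate 3 (price 6): 16 over 5 time units. Exact rationals are used so that the equality check in `lasso_mean_cost` on the returned valuation is meaningful; floating-point clocks would make the "same state" test unreliable.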

We can then state the following problem: 

Problem 9 (Cost of an Observer): 
Inputs: A TA $A$ and $(Obs, Cost)$ a PDTA observer. 
Problem: Compute $\overline{Cost}(\langle A, Obs \rangle)$.

C. Computing the Cost of a Given Timed Observer 

The computation of optimal infinite schedules for TA has 
been addressed in [19]. The main result of [19] is: 

Theorem 7 (Minimal/Maximal Mean Cost [19]): Given a 
PTA $A$, computing $\overline{Cost}(A)$ and $\underline{Cost}(A)$ is PSPACE-complete. 
The definition of the cost of an observer is exactly the 
definition of the maximal mean cost in [19] and thus: 

Theorem 8: Problem 9 is PSPACE-complete.

Proof: PSPACE-easiness follows from Theorem 7; note 
that Theorem 7 assumes that the TA is bounded, which 
is not a restriction as every TA can be transformed into 
an equivalent (timed bisimilar) bounded TA. For PSPACE-
hardness, to compute the maximal mean cost of a PDTA 
$B$, let $A$ be the universal automaton on the alphabet of $B$. 
Consider $B$ as an observer and solve Problem 9. This solves 
the maximal mean cost computation problem for DTA. This 
completes the hardness proof. ■

Footnote: Runs of duration 0 are not taken into account. 

Figure 2. Automaton B



D. Optimal Synthesis Problem 

Checking whether the mean cost of a given observer is less 
than $k$ requires that we have computed or are given such an 
observer. A more difficult version of Problem 9 is to check 
for the existence of a cheap dynamic observer: 

Problem 10 (Bounded Cost Dynamic Observer): 
Inputs: A TA $A = (L, \ell_0, X, \Sigma_{\tau,f}, E, Inv)$, $\Delta \in \mathbb{N}$, $\mu$ a 
resource and $k \in \mathbb{N}$. 
Problem: 

(A) Is there a dynamic observer $D \in DTA_\mu$ s.t. $A$ is $(\Delta, D)$-
diagnosable and $\overline{Cost}(\langle A, D \rangle) \le k$? 

(B) If the answer to (A) is "yes", compute a witness 
dynamic observer.



We cannot provide a proof that Problem 10 is decidable. 
However, we give a lower bound for Problem 10 and later 
discuss the exact complexity.

Theorem 9: Problem 10 is 2EXPTIME-hard. 

Proof: We reduce Problem 8, which is 2EXPTIME-
hard [9], to Problem 10. Let $A$ be a TA for which we want to 
check whether there exists a DTA observer $D \in DTA_\mu$ s.t. $A$ 
is $(\Delta, D)$-diagnosable. 

Let $a$ be a fresh letter not in $\Sigma$. Define the automaton $B$ 
depicted on Figure 2. The upper part of $B$ generates faulty 
and non-faulty runs with each letter including $a$. From each 
location of $A$ (bottom part), we add a $\tau$ transition to the 
initial state of $B$. The transitions of $A$ are not depicted. 

For $B$ to be diagnosable with $\Delta \ge 1$, we must 
have: 1) $a$ always observable and 2) $\Sigma$ always observ-
able. Moreover, if $A$ is $(\Delta, \Sigma)$-diagnosable, then $B$ is 
$(\Delta, \Sigma \cup \{a\})$-diagnosable. Conversely, if $B$ is $(\Delta, \Sigma \cup \{a\})$-
diagnosable, then $A$ is $(\Delta, \Sigma)$-diagnosable. Hence $A$ is 
$(\Delta, \Sigma)$-diagnosable iff $B$ is $(\Delta, \Sigma \cup \{a\})$-diagnosable. 

Define the cost of every location to be 1 and the cost of the 
transitions in $B$ to be 0, so that an observer which keeps $\Sigma \cup \{a\}$ 
switched on has mean cost exactly 1. $B$ is diagnosable with a DTA $D \in DTA_\mu$ iff 
there is a dynamic observer $D$ (which nevertheless has to choose $\Sigma \cup \{a\}$ continuously) 
with $\overline{Cost}(\langle B, D \rangle) \le 1$. 

It follows that: there exists a $DTA_\mu$ diagnoser $D$ s.t. $A$ is 
$(\Delta, D)$-diagnosable iff $B$ is $(\Delta, O)$-diagnosable with a DTA 
observer $O \in DTA_\mu$ and $\overline{Cost}(\langle B, O \rangle) \le 1$. ■
The status of Problem 10 is clearly unsettled as the 2EXPTIME-hardness 
result does not even imply that it is decidable. 
A solution to this problem would be to mimic the one 
given for DES [3]: solve a mean payoff timed game with 
a counterpart of the Zwick and Paterson algorithm [20] using 
the most permissive observers obtained in section V-E. The 
type of priced timed games we would have to solve has the 
following features: 1) they are turn-based, as one Player picks 
(controllable moves) a set of events to be observed and 
then hands over to the other Player who tries to produce 
a confusing run (uncontrollable moves); 2) they have at 
least two clocks (one for the system $A$ and one for the DTA 
observer); 3) the controllable choices are urgent, i.e., no time 
can elapse in Player 1 locations. We denote by S-PTGA the 
class of timed game automata previously defined. 

Unfortunately, there is no counterpart of the general result 
of Zwick & Paterson for timed automata. Only very few 
results are known for timed mean payoff games [21], [22], 
[23], [24] and none of them can be used in our setting. 
Nevertheless, due to the particular nature of the mean payoff 
priced timed game we construct (in the class S-PTGA), we 
might be able to compute the optimal choices of observable 
events using an algorithm similar to [19]. Hence we could 
obtain a 2EXPTIME algorithm for Problem 10. 

TABLE I 
Summary of the Results 

           | Static Observers | Dynamic Observers                  
           | Min. Cardinality | Most Perm. Obs. | Optimal Observer 
-----------+------------------+-----------------+------------------
DES        | NP-Complete [1]  | 2EXPTIME [1]    | 2EXPTIME [2]     
TA         | PSPACE-Complete  | 2EXPTIME        | 2EXPTIME-hard    



VII. Conclusion 

The results of the paper are summarized by the line "TA" 
in Table I. The complexity/decidability status of Problem 10 
is left open. A solution to this problem would be to solve 
the following optimization problem on the class of S-PTGA: 

Problem 11 (Optimal Infinite Schedule in S-PTGA): 
Inputs: An S-PTGA $(A, Cost)$, a set of Bad states and $k \in \mathbb{N}$. 
Problem: Is there a strategy $f$ for Player 1 in $A$ s.t. $f(A)$ ($A$ 
controlled by $f$) avoids Bad and satisfies $\overline{Cost}(f(A)) \le k$?